Chapter 28

TCP/IP Protocol Suite 1

Chapter 28Chapter 28

Upon completion you will be able to:

SecuritySecurity

• Differentiate between two categories of cryptography schemes • Understand four aspects of security• Understand the concept of digital signature• Understand the role of key management in entity authentication• Know how and where IPSec, TLS, and PPG provide security

Objectives


28.1 CRYPTOGRAPHY

The word cryptography in Greek means “secret writing.” The term today The word cryptography in Greek means “secret writing.” The term today refers to the science and art of transforming messages to make them refers to the science and art of transforming messages to make them secure and immune to attacks.secure and immune to attacks.

The topics discussed in this section include:The topics discussed in this section include:

Symmetric-Key Cryptography Symmetric-Key Cryptography Asymmetric-Key Cryptography Asymmetric-Key Cryptography Comparison Comparison


Figure 28.1 Cryptography components


In cryptography, the encryption/decryption algorithms are

public; the keys are secret.

Note:Note:


In symmetric-key cryptography, the same key is used by the sender (for encryption) and the receiver (for decryption). The key is shared.

Note:Note:


Figure 28.2 Symmetric-key cryptography


In symmetric-key cryptography, the same key is used in both directions.

Note:Note:


Figure 28.3 Caesar cipher


Figure 28.4 Transpositional cipher


Figure 28.5 DES


Figure 28.6 Iteration block


Figure 28.7 Triple DES


The DES cipher uses the same concept as the Caesar cipher, but the

encryption/ decryption algorithm is much more complex.

Note:Note:


Figure 28.8 Public-key cryptography


Figure 28.9 RSA


Symmetric-key cryptography is often used for long messages.

Note:Note:


Asymmetric-key algorithms are more efficient for short messages.

Note:Note:


28.2 PRIVACY

Privacy means that the sender and the receiver expect confidentiality. Privacy means that the sender and the receiver expect confidentiality. The transmitted message must make sense to only the intended receiver. The transmitted message must make sense to only the intended receiver. To all others, the message must be unintelligible.To all others, the message must be unintelligible.


Privacy with Symmetric-Key Cryptography Privacy with Symmetric-Key Cryptography Privacy with Asymmetric-Key Cryptography Privacy with Asymmetric-Key Cryptography


Figure 28.10 Privacy using symmetric-key encryption


Figure 28.11 Privacy using asymmetric-key encryption


Digital signature can provide authentication, integrity, and

nonrepudiation for a message.

Note:Note:


28.3 DIGITAL SIGNATURE

Digital signature can provide authentication, integrity, and Digital signature can provide authentication, integrity, and nonrepudiation for a message. nonrepudiation for a message.


Signing the Whole Document Signing the Whole Document Signing the Digest Signing the Digest


Figure 28.12 Signing the whole document


Digital signature does not provide privacy. If there is a need for privacy, another layer of encryption/decryption

must be applied.

Note:Note:


Figure 28.13 Hash function


Figure 28.14 Sender site


Figure 28.15 Receiver site


28.4 ENTITY AUTHENTICATION

Entity authentication is a procedure that verifies the identity of one Entity authentication is a procedure that verifies the identity of one entity for another. An entity can be a person, a process, a client, or a entity for another. An entity can be a person, a process, a client, or a server. In entity authentication, the identity is verified once for the entire server. In entity authentication, the identity is verified once for the entire duration of system access.duration of system access.


Entity Authentication with Symmetric-Key Cryptography Entity Authentication with Symmetric-Key Cryptography Entity Authentication with Asymmetric-Key Cryptography Entity Authentication with Asymmetric-Key Cryptography


Figure 28.16 Using a symmetric key only


Figure 28.17 Using a nonce


Figure 28.18 Bidirectional authentication


28.5 KEY MANAGEMENT

In this section we explain how symmetric keys are distributed and how In this section we explain how symmetric keys are distributed and how public keys are certified. public keys are certified.


Symmetric-Key Distribution Symmetric-Key Distribution Public-Key Certification Public-Key Certification Kerberos Kerberos


A symmetric key between two parties is useful if it is used only once; it must be created for one session and destroyed

when the session is over.

Note:Note:


Figure 28.19 Diffie-Hellman method


The symmetric (shared) key in the Diffie-Hellman protocol is

K = G xy mod N.

Note:Note:


Let us give an example to make the procedure clear. Our example uses small numbers, but note that in a real situation, the numbers are very large. Assume G = 7 and N = 23. The steps are as follows:

1. Alice chooses x = 3 and calculates R1 = 73 mod 23 = 21.

2. Alice sends the number 21 to Bob.

3. Bob chooses y = 6 and calculates R2 = 76 mod 23 = 4.

4. Bob sends the number 4 to Alice.

5. Alice calculates the symmetric key K = 43 mod 23 = 18.

6. Bob calculates the symmetric key K = 216 mod 23 = 18.

The value of K is the same for both Alice and Bob; G xy mod N = 718 mod 23 = 18.

Example 1


Figure 28.20 Man-in-the-middle attack


Figure 28.21 First approach using KDC


Figure 28.22 Needham-Schroeder protocol


Figure 28.23 Otway-Rees protocol


In public-key cryptography, everyone has access to everyone’s public key.

Note:Note:


Table 28.1 X.509 fieldsTable 28.1 X.509 fields


Figure 28.24 PKI hierarchy


Figure 28.25 Kerberos servers


Figure 28.26 Kerberos example


28.6 SECURITY IN THE INTERNET

In this section we discuss a security method for each of the top 3 layers In this section we discuss a security method for each of the top 3 layers of the Internet model. At the IP level we discuss a protocol called IPSec; of the Internet model. At the IP level we discuss a protocol called IPSec; at the transport layer we discuss a protocol that “glues” a new layer to at the transport layer we discuss a protocol that “glues” a new layer to the transport layer; at the application layer we discuss a security method the transport layer; at the application layer we discuss a security method called PGP.called PGP.


IP Level Security: IPSec IP Level Security: IPSec Transport Layer Security Transport Layer Security Application Layer Security: PGP Application Layer Security: PGP


Figure 28.27 Transport mode


Figure 28.28 Tunnel mode


Figure 28.29 AH


The AH protocol provides message authentication and integrity,

but not privacy.

Note:Note:


Figure 28.30 ESP


ESP provides message authentication, integrity, and privacy.

Note:Note:


Figure 28.31 Position of TLS


Figure 28.32 TLS layers


Figure 28.33 Handshake protocol


Figure 28.34 Record Protocol


Figure 28.35 PGP at the sender site


Figure 28.36 PGP at the receiver site


28.7 FIREWALLS

A firewall is a device (usually a router or a computer) installed between A firewall is a device (usually a router or a computer) installed between the internal network of an organization and the rest of the Internet. It is the internal network of an organization and the rest of the Internet. It is designed to forward some packets and filter (not forward) others.designed to forward some packets and filter (not forward) others.


Packet-Filter Firewall Packet-Filter Firewall Proxy Firewall Proxy Firewall


Figure 28.37 Firewall


Figure 28.38 Packet-filter firewall


A packet-filter firewall filters at the network or transport layer.

Note:Note:


Figure 28.39 Proxy firewall


A proxy firewall filters at the application layer.

Note:Note:

Date post:	02-Jan-2016
Category:	Documents
Upload:	noelle-porter
View:	31 times
Download:	1 times

Chapter 28

Documents